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(54) AES Encryption circuit 

(57) A round processing unit in an encryption circuit 
comprises: a first Round Key Addition circuit (204) that 
adds a round key value to input data; an intermediate 
register/Shift Row transformation circuit (206) that tem- 
porarily stores the output of the first Round Key Addition 
circuit (204) and executes Shift Row transformation; a 
Byte Sub transformation circuit (207) into which the val- 
ues of the intermediate register/Shift Row transforma- 
tion circuit (205) are inputted and which executes Byte 
Sub transformation; a second Round Key Addition cir- 
cuit (208) into which the values of the intermediate reg- 
ister/Shift Row transformation circuit (206) are Inputted 



and which adds round key values; a Mix Column trans- 
formation circuit (210) that executes Mix Column trans- 
formation upon the outputs of the second Round Key 
Addition circuit (208); and a second selector (203) that 
outputs to the second Round Key Addition circuit (204) 
one of the outputs of a first selector (202), the interme- 
diate register/Shift Row transformation circuit (206), the 
Byte Sub transformation circuit (207), and the Mix Col- 
umn transformation circuit (210). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
level of high-speed processing In the Implementation of 
the AES block cipher. 
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Description 

BACKGROUND OF THE INVENTION 
5 Technical Field 

[0001] The present invention relates to an encryption circuit for implementing in hardware the Rijndael algorithm, 
which is the next generation common key block encryption standard, known as the AES (advanced encryption stand- 
ard), and will replace the current common.key block encryption standard In the US, called DES. 

10 

Description of Related Art 

[0002] A great variety of services are being considered that involve the Internet, Including electronic commerce and 

electronic money. These technologies are used not just In the daily lives of individuals, but also in a wide range of 
15 fields, Including transactions among corporations and improving productivity. In particular, it is expected that encryption 

functions will be loaded onto smart cards and mobile handsets, for the purpose of verifying the identity of Individuals, 

and that these technologies will be widely used for authentication, digital signatures, and data encryption. 

[0003] Common key cryptography is used In these applications to prevent third parties from tapping on the Internet. 

The current standard adopted In the US for common key cryptography is DES; as its replacement, the AES (advanced 
20 encryption standard), known as the Rijndael algorithm, has been selected to be next generation common key block 

cryptography standard, and this algorithm is becoming the new standard. (The AES draft is available at http://csrc.nist. 

gov/publlcations/drafts/dfips-AES.pdfV 

[0004] AES is a block cipher for processing in block lengths of 1 28 bits, and the encryption algorithm, as shown in 
FIG. 1 , is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule 
2s unit10.Theroundfunctlonunrt2Q.comprisesan input register 21 that temporarily stores Input data, an XQF^ processing 
unit 22 that XORs the input data and expanded key segment, a round processing unit 23, a final round processing unit 
24 and an output register 25 that temporarily stores output data. 

[0005] The round processing unit 23 comprises a Byte Sub transformation unit 31 , a Shift Row transformation unit 
32, a Mix Column transformation unit 33 and a Round Key Addition unit 34; the final round processing unit 24 performs 
30 the processing of the round processing unit 23 except forthe Mix Column transformation 33; It comprises a Byte Sub 
transformation unit 35, a Shift Row transformation unit 36 and a Round Key Addition unit 37. • 
[0006] Round processing iterated; the number of rounds Nr including the final round depends on the key length 
inputted into the key schedule unit 1 0, and is defined as shown in Table 1 . 

35 [Table 1] ; 



Key Length and Number of Rpuncfe 


Key Length 


Nr 


128bit 


10 • 


I92brt 


12 


256bit 


14 



[0007] Thus for each key length round processing Is executed Nr-t times, and at the end the final round processing 
is executed. When the key length Is 128 bits, round processing is executed 9 times; when 1 92 bits, 11 times; and when 
256 bits, 13 times; and then in each case the final round processing Is executed. Round keys generated at the key 
schedule unit 10 are Inputted into the XOR processing unit 22, round processing unit 23 and final round processing 
unit 24. 

[0008] The key schedule unit 10 generates round keys.based on the key generation schedule specified in the AES 
draft; that algorithm Is shown in FIG. 2. 

[0009] The AES Proposal specification (AES Proposal: Rijndael, at http-7/csrc. nist.gov/encryptiorVaes/rijndael/Rljn- 
dael.pdf) introduces 2 hardware Implementations for AES block cipher circuits. 

[0010] One of these Is a method for hardware Implementation, in 128 bit units, of ail the functions shown In FIG. 1 
as they are (hereinafter, "conventional example 1"). In this case, for encryption and decryption, the order of processing 
of the functions Is reversed, and thus it is necessary to prepare separate processing circuits for encryption and de- 
cryption. 

[0011] Also, because, as shown In Table 1 , it is necessary to change the number of times round processing is exe- 
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cuted depending upon the key length, It is necessary to create circuits for each key length. 

[0012] Furthermore, because of the reversal of order between encryption and decryption, the order of key generation 
in the key schedule unit 1 0 forthe round keys used in the round function unit 20 has to be reversed between encryption 
and decryption. Therefore, either there has to be 2 separate key schedule units, for encryption and for decryption, or 

s a method has to be devised for using the key schedule unit 1 0 for both encryption and decryption. 

[0013] The second method, as shown In FIG. 3, involves creating acoprocessorBOthat hasa Byte Sub transformation 
unit 51 and a Mix Column transformation unit 52, and Implementing in hardware only the Byte Sub transformation and 
the Mix Column transformation functions, and having all other functions incorporated as software into a program 41 , 
and then processing with a CPU 40 (hereinafter, "conventional example 2"). : 

10 [0014] In this case, Byte Sub transformation and Mix Column transformation, which are unsulted for processing by 
the CPU 40 for reasons of processing time, are implemented in hardware as the coprocessor50, and the other process- 
ing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced. 
[0015] If we suppose that the AES block cipher is to be incorporated into a smart card or the like, the functions 
required of an encryption circuit would be to maintain a certain level of processing speed, white keeping the scale of 

*5 the circuit small. With these requirements, the conventionally proposed method of Implementing all the functions in 
128-bit units results In the scale of circuit being too large : making the loading thereof onto a smart card difficult. With 
the method of Implementing In hardware only the Byte Sub transformation and the Mjx Column transformation, and 
processing the other functions with software, there Is the problem of the processing speed requirements not being 
fulfilled. 

20 [001.6] Moreover, with the key schedule unit 10 that generates the round keys, if all the round keys are stored in 
memory, a large-capacity memory is needed, and this would make the scale of circuit large. Therefore, in order to 
reduce the scale of circuit without reducing processing speed, it is desirable to generate round keys with a circuit 
constitution that doe3 not require storing the entire expanded key in memory. 

25 SUMMARY OF THE INVENTION 

[001 7] It is a n object of the present invention to present an encryption circuit that is small in scale and that can achieve 
a certain level of processing speed when Implementing the AES block cipher. 

[001 8] The present invention provides an encryption circuit that generates from a cipher key a plurality of round keys 
30 having a number of bits corresponding to a predetermined processing block length and executing, for each processing 
block length, input data and round key encryption/decryption processing/by means of a round function unit comprising 
an XOR operation unit that XORs the input data and one of the round keys and a round processing unit that iterates 
round- processing that includes Byte Sub transformation, Shift Row transformation, Mix Column transformation and 
Round Key Addition, wherein: 

35 the round processing unit comprises : a first selector that segments input data Into execution block lengths smaller than 
the processing block length; a first Round Key Addition circuit that adds the round key value to input data for each the 
execution block length; an intermediate reg|ster/Shift Row transformation circuit that temporarily stores the output of 
the first Round Key Addition circuit and executes Shift Row transformation using the processing block length; a Byte 
Sub transformation circuit wherein the intermediate register/Shift Row transformation circuit value Is inputted for each 

<to the execution block length and Byte Sub transformation is executed; a second Round Key Addition circuit wherein the 
intermediate register/Shift Row transformation circuit value is Inputted for each the execution block length and the 
round key value Is added for each the execution block length; a Mix Column transformation circuit executing Mix Column 
transformation on the output of the second Round Key Addition circuit; and a second selector that outputs to the first 
Round Key Addition circuit one output from among the outputs of the first selector, intermediate register/Shift Row 

4s . transformation circuit, Byte Sub transformation circuit, or Mix Column transformation circuit. 

[0019] Here, the execution block length can be a multiple of 8 bits, the processing block length can be 128 bits and 
the execution block length can be 32 bits. 

[0020] Further, the key length of the cipher key can be any of 1 28 bits, 1 92 bits or 256 bits. 

[0021] Also, the Byte Sub transformation circuit can comprise a matrix operation unit for decryption that executes a 
50 matrix operation on input data; a third selector that outputs either the Input data or the output of the matrix operation 
unit for decryption; an Inverse operation unit for executing an inverse operation on the data outputted from the third 
selector, a matrix operation unit for encryption that executes a matrix operation on the data outputted from the Inverse 
operation unit; and a fourth selector that outputs either the output of the inverse operation unit or the output of the 
matrix operation unit for encryption. 
» [0022] Further, the matrix operation unit for decryption and the matrix operation unit for encryption comprises an 
XOR circuit so as to perform 8-blt operations at one clock cycle and the matrix operation unit for decryption and the 
matrix operation unit for encryption comprises an XOR circuit so as to perform 1-bit operations at one clock cycle. 
[0023] Also.theintermediate register/Shift Row transformation circuit can be used for both encryption anddecryption 
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through the reversal of order of input of shift data relating to amount of shift for data to be Inputted into the intermediate 
register/Shift Row transformation circuit, the input order for decryption being the reverse of the order for encryption. 
[0024] Further, the Mix Column transformation circuit can comprise a plurality of multiplication units with unique 
multipliers and an XOR circuit that performs XOR operations for the plurality of multiplication units, the Mix Column 

5 transformation circuit executing a matrix operation between data inputted Into each multiplication unit and the multiplier 
established for each multiplication unit. In this case, the Mix Column transformation circuit comprises 4 operation units 
having 4 multiplication units capable of 8-bit unit operations and XOR circuits that execute XOR operations based on 
the outputs of the 4 multiplication units. This multiplication units can control 2 multipliers and are used for both encryption 
and decryption and the multiplication units can be constituted to control addition values from high-order bits. 

10 [0025] Also, an encryption circuit can be constituted so as to have a key expansion schedule circuit that generates 
from the cipher key, as an expanded key segmented into bit numbers corresponding to the execution block length, a 
plurality of round keys With bit numbers corresponding to a predetermined processing block length. The key expansion 
schedule circuit comprises: 

15 a fifth selector that segments a cipher key Into the number of bits corresponding to the execution block length and 

outputs the same; 

a shift register to which fiip-flop circuits are connected at a plurality of stages, the flip-flop circuits latching data In 
units of the execution block length; 

a first XOR circuit that XORs the output of the final stage flip-flop circuit of the shift register with one constant 
20 selected from among a group of constants; 

a sixth selector Into which are inputted the outputs of those flip-flops of the shift register that are involved in oper- 
ations for encryption and the outputs of those flip-flops involved in operations for decryption, and which selectively 
outputs one of these; 

a Rot Byte processing circuit that rotates the output of the sixth selector; 
ss a seventh selector into which the output of the sixth selector and the output of the Rot Byte circuit is inputtedand 

which selectively outputs one of these; 

a Sub Byte processing circuit that executes Byte Sub transformation oh the output of the seventh selector for each 
the execution block length; 

an eighth selector Into which the output of the sixth selector and the output of the Sub Byte processing circuit are 
so Inputted, and which selectively outputs one of these; : 

a second XOR circuit that executes an XOR operation based on the output of the first XOR circuit and the output 
of the eighth selector; and 

a shift register unit selector that selectively outputs, to those flip-flops of the shift register the outputs of which are 
subject to operations for encryption, either the output of the second XOR circuit or the output of the adjacent stage 
33 flip-flop. 

[0026] Here, the shift register comprises 8 flip-flops executing data processing in 32-bit units, and the sixth selector 
is constituted so that the outputs of the second, fourth, sixth and eighth flip-flops from the bottom from among the flip- 
flops are inputted therein, and that it outputs one of these. 

40 [0027] Also, through the input into the seventh selector of the output of the intermediate register/Shift Row transfor- 
mation circuit and the Input into the second selector of the output of the Sub Byte processing circuit, a single circuit 
can be used for the Sub Byte processing circuit and the Byte Sub transformation circuit of the round processing unit. 
[0028] From the following detailed description in conjunction with the accompanying drawings, the foregoing and 
other objects, features, aspects and advantages of the present Invention will become readily apparent to those skilled 

45 m the art. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0029] 

FIG. 1 Is a block diagram of AES 'processing using the Rijndael algorithm; 
FIG. 2 is a key schedule program Est; 

FIG. 3 is a block diagram showing one envisioned circuit implementation; 

FIG. 4 is a block diagram of a round function unit adopted in a first embodiment of the present invention; 
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